topic Re: LDAP auth not working for Palo login in General Topics

LDAP auth not working for Palo login

M.Allen — Tue, 30 Jul 2024 11:01:30 GMT

Hi all,

I have deployed a new Palo and configured LDAP auth but I am getting an error. I checked the BIND account is active and all settings appear ok, anything else to troubleshoot this?

Reason: Internal error, e.g. network connection, DNS failure or remote server down.

Re: LDAP auth not working for Palo login

reaper — Tue, 30 Jul 2024 11:37:00 GMT

the destination LDAP server is allowed to authenticate users? (RODC will not be able to perform this function i think)

- do you have service connections configured?

- did you double-check connectivity is allowed (in the ldap profile, click the 'Base DN' dropdown to see if the domain loads)

- run a tcpdump from cli listening for port 389 or 636 to see if your connections go out and get replied to

Re: LDAP auth not working for Palo login

M.Allen — Tue, 30 Jul 2024 14:16:00 GMT

Thanks for your reply Reaper.

Where would I configure service connections, I do not think I have done that part..

Also for checking connectivity there is no drop down option within the ldap profile as seen below..

Re: LDAP auth not working for Palo login

reaper — Wed, 31 Jul 2024 07:54:20 GMT

Service connections are in device > setup > services >service route configuration

In regards to the dropdown, this will only work when you do this from the firewall, not panorama

Re: LDAP auth not working for Palo login

M.Allen — Wed, 31 Jul 2024 10:01:43 GMT

All firewalls within the network use default management for all services so I believe this is correct.

As for the dropdown it states read only on the firewall..

Re: LDAP auth not working for Palo login

M.Allen — Wed, 31 Jul 2024 10:34:56 GMT

Here is the tcpdump...

admin@Firewall01> view-pcap mgmt-pcap mgmt.pcap

reading from file /opt/pan/.debug/mgmtpcap/mgmt.pcap, link-type EN10MB (Ethernet)

11:28:37.895803 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [S], seq 3465360357, win 29200, options [mss 1460,sackOK,TS val 414589708 ecr 0,nop,wscale 7], length 0

11:28:37.896330 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47368: Flags [S.], seq 2111673635, ack 3465360358, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

11:28:37.896392 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [.], ack 1, win 229, length 0

11:28:37.897962 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 1:290, ack 1, win 229, length 289

11:28:37.899518 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47368: Flags [P.], seq 1:3773, ack 290, win 8212, length 3772

11:28:37.899560 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [.], ack 3773, win 288, length 0

11:28:37.911228 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 290:460, ack 3773, win 288, length 170

11:28:37.912785 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47368: Flags [P.], seq 3773:3824, ack 460, win 8211, length 51

11:28:37.912992 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 460:565, ack 3824, win 288, length 105

11:28:37.913689 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47368: Flags [P.], seq 3824:3963, ack 565, win 8211, length 139

11:28:37.913934 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 565:601, ack 3963, win 310, length 36

11:28:37.913976 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 601:632, ack 3963, win 310, length 31

11:28:37.914003 IP 10.240.199.241.47368 > TWDC05.XXX.XXX.UK.ldaps: Flags [F.], seq 632, ack 3963, win 310, length 0

11:28:37.914453 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47368: Flags [R.], seq 3963, ack 632, win 0, length 0

11:28:39.128436 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [S], seq 2893699587, win 29200, options [mss 1460,sackOK,TS val 414590940 ecr 0,nop,wscale 7], length 0

11:28:39.128969 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47376: Flags [S.], seq 1970587809, ack 2893699588, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

11:28:39.129018 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [.], ack 1, win 229, length 0

11:28:39.130518 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 1:290, ack 1, win 229, length 289

11:28:39.132071 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47376: Flags [.], seq 1:2921, ack 290, win 8212, length 2920

11:28:39.132109 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [.], ack 2921, win 274, length 0

11:28:39.132124 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47376: Flags [P.], seq 2921:3773, ack 290, win 8212, length 852

11:28:39.132143 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [.], ack 3773, win 297, length 0

11:28:39.145406 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 290:460, ack 3773, win 297, length 170

11:28:39.147020 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47376: Flags [P.], seq 3773:3824, ack 460, win 8211, length 51

11:28:39.147353 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 460:565, ack 3824, win 297, length 105

11:28:39.148024 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47376: Flags [P.], seq 3824:3963, ack 565, win 8211, length 139

11:28:39.148655 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 565:601, ack 3963, win 320, length 36

11:28:39.148700 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [P.], seq 601:632, ack 3963, win 320, length 31

11:28:39.148727 IP 10.240.199.241.47376 > TWDC05.XXX.XXX.UK.ldaps: Flags [F.], seq 632, ack 3963, win 320, length 0

11:28:39.149190 IP TWDC05.XXX.XXX.UK.ldaps > 10.240.199.241.47376: Flags [R.], seq 3963, ack 601, win 0, length 0

Re: LDAP auth not working for Palo login

CosminM — Wed, 31 Jul 2024 10:35:10 GMT

Hello @M.Allen ,

Your issue can have multiple causes:

First, I would check Bind DN. It's needed the full Bind DN (https://advanxer.com/2017/08/how-to-obtain-the-base-dn-or-bind-dn-attributes-from-active-directory/

Then you need to be sure that the SSL certificate presented by the server it's trusted for the firewall. Maybe you need to import some Enterprise CA into your firewall.

You can look also in auth.log for the problems.

less mp-log authd.log

Re: LDAP auth not working for Palo login

M.Allen — Wed, 31 Jul 2024 16:19:17 GMT

Hi Cosim,

Thanks for that. I have added the certs as they were missing and re-added the Bind DN and password.

I can see in the logs the errors below. Do I require a policy to allow a connection to the DNS or LDAP servers as I have not added any..

Re: LDAP auth not working for Palo login

M.Allen — Wed, 31 Jul 2024 17:00:21 GMT

I can ping the DNS name of the LDAP servers from the firewall CLI, and traceroute without issue

Re: LDAP auth not working for Palo login

PavelK — Thu, 01 Aug 2024 03:31:42 GMT

Hello @M.Allen

based on tcpdump output it looks like your LDAP server is sending RST.

To narrow down the issue, could you temporarily disabled LDAPS by deselecting: "Require SSL/TLS secured connection". If it works with LDAP, the the issue is likely related to certificate. Make sure that entire enterprise CA chain is imported into Firewall.

If it still does not work even after disabling LDAPS, then next step would looking into details of authd.log. Also make sure that BIND DN account is not locked out/disabled.

Kind Regards

Pavel